views: 211
answers: 5

I am new to web development. Am I allowed to store users' original passwords? I know good practice is to store the hashed password using a salt, but why don't we store the original password?

Is it because the database is easily hacked, so hashing protects passwords? Are there any other reasons? If not, I would like to store the original password if it is legal to do so.

+13  A: 

The legality depends on the country you live in. But there are best practices, too. And a best practice is to encrypt users' passwords. In this way, if someone breaks into your database, they will not be able to obtain the long list of passwords, and try each one of them in eBay, Yahoo Mail, and Gmail. Users generally use the very same pair of username and password for many sites.

As Jon points out in the comment, of course there is a difference between hashing and encrypting. Hashing is a one-way, data-destructive process, which takes an arbitrary-length string as input and outputs a fixed-length string. This string is defined in such a way that changing any single bit in the original input will cause the hash to be different. If you have a hash, therefore, it is not possible to reconstruct the original text (i.e. it is not possible to recover the password).

On the other hand, encryption proper is a technique where you can recover the original password, knowing secret keys, passwords, etc.

Usually, you want to hash passwords, not encrypt them: it's not necessary, and it is more complex to set up. You are not supposed to recover passwords either: you will just regenerate them.

Palantir
Voting this one up and deleting mine. To all those stating that it's legal, I'd be very interested to know on what basis you assert this. You must be _very_ good lawyers to know every law planet-wide.
paxdiablo
I think it would be worth spelling out the difference between encryption and hashing, and when to use each one. If you need to be able to recover a user's password, you would use encryption. If not, then hashing would be a better choice.
Jon B
@Jon: Yes that's right. I edited it and elaborated a bit.
Palantir
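The salted hash-and-verify flow this answer describes, as an added example that is not part of the original answer or any commenter's code. It uses only the Python standard library (PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time comparison); the record format `pbkdf2_sha256$iterations$salt$hash`, the iteration count and the constructed user table are assumptions for the example, not anything from the page. The `crack_unsalted_sha256` helper shows the contrast the answer draws: a leaked table of unsalted, fast hashes is trivially looked up from a wordlist, while the salted record can only be checked one guess at a time, and never read back.

```python
"""Added example: salted, iterated password hashing with the Python stdlib.

Not from the original answer. Shows (1) storing a hash lets you verify a
login but gives you no way to hand the password back, (2) a per-user salt
makes identical passwords produce different records, and (3) why a leaked
table of *unsalted* fast hashes is as good as plaintext to an attacker.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Assumed parameters for this example; tune ITERATIONS to your own hardware.
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
ITERATIONS = 600_000
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table of hashes is useless and each
    guess has to be recomputed per user.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant
    time. Nothing here can produce the password from the record: the only
    operation available is 'does this guess match?'."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:  # malformed record: treat as a failed login, never crash
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def unsalted_sha256(password: str) -> str:
    """The weak scheme many sites used instead: one fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted_sha256(leaked_digests: Iterable[str],
                          wordlist: Iterable[str]) -> Dict[str, str]:
    """What an attacker does with a leaked column of unsalted fast hashes:
    hash every wordlist entry once, then look up every user at the same
    time. Returns {digest: recovered_password} for each hit."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return {d: table[d] for d in leaked_digests if d in table}


def demo() -> Dict[str, object]:
    """Constructed sample users (not real data) to exercise the functions."""
    users = {"alice": "correct horse battery staple",
             "bob": "password123",
             "carol": "password123"}          # same password as bob
    stored = {u: hash_password(p) for u, p in users.items()}

    # Leaked salted records: bob and carol share a password, records differ.
    salted_records_differ = stored["bob"] != stored["carol"]

    # Leaked unsalted column: one wordlist pass exposes both at once.
    leaked = [unsalted_sha256(p) for p in users.values()]
    cracked = crack_unsalted_sha256(leaked, ["letmein", "password123", "qwerty"])

    return {
        "alice_login_ok": verify_password(users["alice"], stored["alice"]),
        "alice_wrong_pw": verify_password("Correct horse", stored["alice"]),
        "salted_records_differ": salted_records_differ,
        "unsalted_cracked": sorted(set(cracked.values())),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In practice a web framework's own password hasher (or bcrypt/scrypt/Argon2) does the same job with the parameters already chosen; the point of writing it out is to see that the database holds only salt and digest, and that the server verifies by re-hashing, never by decrypting.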
A: 

Yes, it's perfectly legal, though absolutely not recommended to store passwords in plaintext. And it's not that your actual live database can be compromised: even a backup copy can be stolen (without you ever knowing it).

When passwords are stolen, this is very bad for your actual users, since very few of them actually use different passwords for different sites.

Anton Gogolev
Under what jurisdiction exactly are you claiming this is legal? Are you an international lawyer (or a lawyer of _any_ sort)?
paxdiablo
A: 

It is legal according to the law. Some companies store the password in plain text, so that it is recoverable.

However, for safety reasons this is a bad idea. Once in a while, some company gets hacked and their database is accessed. In some cases, this exposes the passwords of thousands of users. This will severely damage the image of your company, and is even more a security risk when the password is not hashed.

If you want the password to be recoverable, at least encrypt it so that it is not easily viewable by accessing the database.

Sjoerd
Under what jurisdiction exactly are you claiming this is legal? Are you an international lawyer (or a lawyer of _any_ sort)?
paxdiablo
"Some companies do this" doesn't imply "and thus it must be legal". It could also mean "some companies are breaking the law".
Piskvor
+1  A: 

Imagine if Facebook was hacked and it didn't encrypt any of the users' passwords. Facebook itself has around 200 million(?) users.

What if all of the 200 million passwords were leaked to some evil organization? Many users use the same password as for their email or any other sensitive online services such as bank accounts.

Facebook wouldn't be safe at all once. Would you register an account there?

Wai Wong
(1) People who use the same passwords at multiple sites are idiots. (2) I wouldn't register an account at Facebook anyway. Not because it's insecure, just because I consider my friends to be those I like spending time with, not some clown at the other end of a CAT5 cable :-)
paxdiablo
@paxdiablo: (1) You're right, but sadly they exist and should be taken into account if you want to store them. (2) I agree here too, but I also can understand the people who want to use Facebook. But it's still no reason to save an unencrypted password.
jigfox
No, I agree with you @Wai and, since you're not one of the crowd who stated it was legal (with no backing authority), an upvote for you as well.
paxdiablo
@paxdiablo, (2) is subjective, you can't tell people what they should do or not, unless you are the boss of a company and tell your employees to do stuff for you :D (1) as Jens mentioned, they exist sadly. They can't be cured of their carelessness, unless they get hacked or something. And thanks for the upvote :)
Wai Wong
Using same password for multiple sites (especially sites you don't care much) is not due to individual "stupidity". It happens because we are dealing with human beings, who have a very limited memory, and very limited means to generate and remember "random strings". I am not saying "it's good". I am saying that we as developers need to take those human factors into play, and face the reality. Of course, people using the same pass for their handful "vital" sites (those dealing with your money for example) ARE idiots ;-)
Palantir
+1  A: 

I don't know if it's legal, but nonetheless I would advise against it for at least three reasons:

  1. This is not only about hackers getting access to your passwords. Users often have the same password for multiple accounts (although they shouldn't). So who says we can trust you or other people who have legal access to this data?
  2. It doesn't matter how secure you think your server is. There is no such thing as absolute security for a server. You should consider that it could be hacked eventually. And don't believe it'll never happen. Hope for the best, but always plan for the worst!
  3. I would use every easy and cheap security I can get to secure not only my data, but also the data of the users. And the method of using a salt+hash is cheap. It will cost you 2 lines of Code. It
jigfox